The concept of network mobility allows users to remain reachable even when they are away from home.
A typical technique for achieving this is Mobile IP as defined in “Mobility Support in IPv6”, Internet Engineering Task Force Request For Comments 3775, June 2004 (hereinafter “Non-patent Document 1”).
With the use of the mobile IP technique, even when a user unplugs a mobile device from its communication cable connection, the connectivity is transferred from the user's home DSL line (cable connection) over to a cellular access system (wireless connection). The switching from the cable connection to the wireless connection can permit the user to continue downloading a file or conducting a voice over IP (VoIP) conversation.
Accordingly, a user can move around with a mobile device, and can keep seamless network connectivity even when the user is out of home by switching to a wireless connection point.
Further, the user is able to form a mobile personal area network (PAN) and maintain seamless network connectivity while traveling around. A typical technique that achieves such PAN-style network mobility is network mobility (NEMO) as defined in “Network Mobility (NEMO) Basic Support Protocol”, Internet Engineering Task Force Request For Comments 3963, January 2005 (hereinafter “Non-patent Document 2”).
Nodes within the mobile PAN are able to communicate with other global nodes by routing their intended data traffic through mobile routers (MR) that are located within the mobile PAN.
The MR registers its current location address, also known as its care-of address (CoA), with a home agent (HA; mobile information managing apparatus). The home agent (HA) functions as a router within the user's home network: it intercepts packets destined for the home address of the mobile node, encapsulates them, and tunnels the encapsulated packets to the registered CoA of the mobile node.
In NEMO, while the MR is on a foreign link, a bi-directional tunnel is established between the MR and the HA so that packets can be exchanged between them via the bi-directional tunnel. As described in Non-patent Document 2, all traffic originating from and terminating at the mobile PAN is sent via the bi-directional tunnel.
A user may authorize foreign nodes to operate within the user's mobile PAN. Hereinafter, this foreign node may be called “visitor node (VN)”.
A VN may be authorized by the user to access data located within the user's home network (for example, music files present on the user's home media server). In this case, the various security policies to which the VN must conform should be configured before the VN is allowed to access the user's home network.
A policy server (security managing apparatus) located within the DMZ (De-Militarized Zone), which is situated between the user's home network and a foreign network, can enforce such security policies for VNs, as defined in “Benchmarking Terminology for Firewall Performance”, Internet Engineering Task Force Request For Comments 2647, August 1999 (hereinafter “Non-patent Document 3”). The DMZ is situated between the user's home domain and the global Internet.
US Patent Application Publication No. 2004-0120295 (hereinafter “Patent Document 1”) proposes a method of allowing a correspondent node (CN) located within the home network to establish a secure communication channel with a mobile node (MN) that is attached on a foreign link.
A mobile IP proxy along with a VPN (Virtual Private Network) server located within the DMZ will allow the MN and the CN to establish a secure tunnel therebetween.
According to the technique disclosed in Non-patent Document 3, however, because all traffic within the mobile PAN is tunneled between the MR and the HA, a VN's packets bypass the policy server within the DMZ, and thus the security policies set by the user are not enforced.
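The bypass described above, as an added illustration that is not part of the original document: a VN packet leaves the mobile PAN wrapped in an outer header addressed to the HA, so a DMZ policy server that matches only on the outer header lets it through, and the deny rule only takes effect if the inner header is inspected or the policy is applied after decapsulation. All addresses, rules and function names are constructed for this model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    payload: str
    inner: Optional["Packet"] = None  # set when this packet is a tunnel wrapper

# Constructed sample addresses (assumptions for this model, not from the page)
HA_ADDR = "2001:db8:home::1"       # home agent in the user's home network
MR_COA = "2001:db8:foreign::2"     # care-of address of the MR on the foreign link
VN_ADDR = "2001:db8:pan::42"       # visitor node inside the mobile PAN
MEDIA_SERVER = "2001:db8:home::10" # home media server the VN must not reach

# Policy configured by the user on the DMZ policy server: (src, dst) pairs to deny
DENY_RULES = {(VN_ADDR, MEDIA_SERVER)}

def mr_encapsulate(pkt: Packet) -> Packet:
    """MR wraps the VN packet for the MR<->HA bi-directional tunnel (NEMO)."""
    return Packet(src=MR_COA, dst=HA_ADDR, payload="tunnel", inner=pkt)

def dmz_policy_check(pkt: Packet, inspect_inner: bool = False) -> bool:
    """Policy server in the DMZ. By default it matches only the outer header,
    so a tunneled VN packet (outer src=MR CoA, dst=HA) is not caught by the rule."""
    p: Optional[Packet] = pkt
    while p is not None:
        if (p.src, p.dst) in DENY_RULES:
            return False
        if not inspect_inner:
            break
        p = p.inner
    return True

def ha_decapsulate(pkt: Packet) -> Packet:
    """HA strips the tunnel header and forwards the original packet."""
    return pkt.inner if pkt.inner is not None else pkt

def reaches_media_server(vn_pkt: Packet, inspect_inner: bool = False,
                         policy_at_ha: bool = False) -> bool:
    """True if the VN packet is delivered to the home media server."""
    tunneled = mr_encapsulate(vn_pkt)
    if not dmz_policy_check(tunneled, inspect_inner):
        return False  # dropped at the DMZ
    inner = ha_decapsulate(tunneled)
    if policy_at_ha and (inner.src, inner.dst) in DENY_RULES:
        return False  # dropped by the HA after decapsulation
    return inner.dst == MEDIA_SERVER
```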
In the technique disclosed in Patent Document 1, however, the mobile IP proxy acts as a surrogate HA to the MN and as a surrogate MN to the HA. This means that the mobile IP proxy needs to hold the security association keys of both the MN and the HA. Moreover, the technique of Patent Document 1 does not take into account access control of a VN connected under the control of an MR located in a foreign network.